@reliabilityworks/analyzer-javascript 0.1.0

package/dist/index.d.ts

@@ -0,0 +1,4 @@
+import type { Rule } from '@reliabilityworks/core';
+export declare const JAVASCRIPT_RULES: Rule[];
+export declare function getJavaScriptRules(): Rule[];
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,wBAAwB,CAAA;AAElD,eAAO,MAAM,gBAAgB,EAAE,IAAI,EA8DlC,CAAA;AAED,wBAAgB,kBAAkB,IAAI,IAAI,EAAE,CAE3C"}

package/dist/index.js

@@ -0,0 +1,70 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JAVASCRIPT_RULES = void 0;
+exports.getJavaScriptRules = getJavaScriptRules;
+exports.JAVASCRIPT_RULES = [
+    {
+        id: 'javascript/dangerous-eval',
+        severity: 'high',
+        title: 'Use of eval()',
+        description: 'eval() can execute arbitrary code and is often a sign of injection risk.',
+        matcher: {
+            type: 'regex',
+            fileGlobs: ['**/*.{js,jsx,ts,tsx}'],
+            pattern: '\\beval\\s*\\(',
+            message: 'eval() usage detected',
+        },
+    },
+    {
+        id: 'javascript/dangerous-new-function',
+        severity: 'high',
+        title: 'Use of new Function()',
+        description: 'The Function constructor evaluates strings as code and can lead to injection.',
+        matcher: {
+            type: 'regex',
+            fileGlobs: ['**/*.{js,jsx,ts,tsx}'],
+            pattern: '\\bnew\\s+Function\\s*\\(',
+            message: 'new Function() usage detected',
+        },
+    },
+    {
+        id: 'javascript/child-process-exec',
+        severity: 'high',
+        title: 'Use of child_process.exec/execSync',
+        description: 'Executing shell commands from application code can be risky, especially with user-controlled input.',
+        matcher: {
+            type: 'regex',
+            fileGlobs: ['**/*.{js,jsx,ts,tsx}'],
+            pattern: '\\bchild_process\\.(?:exec|execSync)\\s*\\(',
+            message: 'child_process.exec or child_process.execSync usage detected',
+        },
+    },
+    {
+        id: 'javascript/tls-reject-unauthorized-disabled',
+        severity: 'critical',
+        title: 'TLS verification disabled',
+        description: 'Disabling TLS verification allows man-in-the-middle attacks.',
+        matcher: {
+            type: 'regex',
+            fileGlobs: ['**/*.{js,jsx,ts,tsx}'],
+            pattern: '\\bNODE_TLS_REJECT_UNAUTHORIZED\\s*=\\s*[\'"]?0[\'"]?',
+            message: 'NODE_TLS_REJECT_UNAUTHORIZED is set to 0',
+        },
+    },
+    {
+        id: 'javascript/reject-unauthorized-false',
+        severity: 'high',
+        title: 'rejectUnauthorized set to false',
+        description: 'Setting rejectUnauthorized: false disables TLS certificate verification.',
+        matcher: {
+            type: 'regex',
+            fileGlobs: ['**/*.{js,jsx,ts,tsx}'],
+            pattern: '\\brejectUnauthorized\\s*:\\s*false\\b',
+            message: 'rejectUnauthorized appears to be set to false',
+        },
+    },
+];
+function getJavaScriptRules() {
+    return exports.JAVASCRIPT_RULES;
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAkEA,gDAEC;AAlEY,QAAA,gBAAgB,GAAW;IACtC;QACE,EAAE,EAAE,2BAA2B;QAC/B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,eAAe;QACtB,WAAW,EAAE,0EAA0E;QACvF,OAAO,EAAE;YACP,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,sBAAsB,CAAC;YACnC,OAAO,EAAE,gBAAgB;YACzB,OAAO,EAAE,uBAAuB;SACjC;KACF;IACD;QACE,EAAE,EAAE,mCAAmC;QACvC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,uBAAuB;QAC9B,WAAW,EAAE,+EAA+E;QAC5F,OAAO,EAAE;YACP,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,sBAAsB,CAAC;YACnC,OAAO,EAAE,2BAA2B;YACpC,OAAO,EAAE,+BAA+B;SACzC;KACF;IACD;QACE,EAAE,EAAE,+BAA+B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,qGAAqG;QACvG,OAAO,EAAE;YACP,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,sBAAsB,CAAC;YACnC,OAAO,EAAE,6CAA6C;YACtD,OAAO,EAAE,6DAA6D;SACvE;KACF;IACD;QACE,EAAE,EAAE,6CAA6C;QACjD,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,2BAA2B;QAClC,WAAW,EAAE,8DAA8D;QAC3E,OAAO,EAAE;YACP,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,sBAAsB,CAAC;YACnC,OAAO,EAAE,uDAAuD;YAChE,OAAO,EAAE,0CAA0C;SACpD;KACF;IACD;QACE,EAAE,EAAE,sCAAsC;QAC1C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,iCAAiC;QACxC,WAAW,EAAE,0EAA0E;QACvF,OAAO,EAAE;YACP,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,sBAAsB,CAAC;YACnC,OAAO,EAAE,wCAAwC;YACjD,OAAO,EAAE,+CAA+C;SACzD;KACF;CACF,CAAA;AAED,SAAgB,kBAAkB;IAChC,OAAO,wBAAgB,CAAA;AACzB,CAAC"}

package/package.json

@@ -0,0 +1,15 @@
+{
+  "name": "@reliabilityworks/analyzer-javascript",
+  "version": "0.1.0",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "lint": "eslint .",
+    "test": "pnpm build && node --test test",
+    "typecheck": "tsc -p tsconfig.json --noEmit"
+  },
+  "dependencies": {
+    "@reliabilityworks/core": "0.1.0"
+  }
+}

package/src/index.ts

@@ -0,0 +1,69 @@
+import type { Rule } from '@reliabilityworks/core'
+
+export const JAVASCRIPT_RULES: Rule[] = [
+  {
+    id: 'javascript/dangerous-eval',
+    severity: 'high',
+    title: 'Use of eval()',
+    description: 'eval() can execute arbitrary code and is often a sign of injection risk.',
+    matcher: {
+      type: 'regex',
+      fileGlobs: ['**/*.{js,jsx,ts,tsx}'],
+      pattern: '\\beval\\s*\\(',
+      message: 'eval() usage detected',
+    },
+  },
+  {
+    id: 'javascript/dangerous-new-function',
+    severity: 'high',
+    title: 'Use of new Function()',
+    description: 'The Function constructor evaluates strings as code and can lead to injection.',
+    matcher: {
+      type: 'regex',
+      fileGlobs: ['**/*.{js,jsx,ts,tsx}'],
+      pattern: '\\bnew\\s+Function\\s*\\(',
+      message: 'new Function() usage detected',
+    },
+  },
+  {
+    id: 'javascript/child-process-exec',
+    severity: 'high',
+    title: 'Use of child_process.exec/execSync',
+    description:
+      'Executing shell commands from application code can be risky, especially with user-controlled input.',
+    matcher: {
+      type: 'regex',
+      fileGlobs: ['**/*.{js,jsx,ts,tsx}'],
+      pattern: '\\bchild_process\\.(?:exec|execSync)\\s*\\(',
+      message: 'child_process.exec or child_process.execSync usage detected',
+    },
+  },
+  {
+    id: 'javascript/tls-reject-unauthorized-disabled',
+    severity: 'critical',
+    title: 'TLS verification disabled',
+    description: 'Disabling TLS verification allows man-in-the-middle attacks.',
+    matcher: {
+      type: 'regex',
+      fileGlobs: ['**/*.{js,jsx,ts,tsx}'],
+      pattern: '\\bNODE_TLS_REJECT_UNAUTHORIZED\\s*=\\s*[\'"]?0[\'"]?',
+      message: 'NODE_TLS_REJECT_UNAUTHORIZED is set to 0',
+    },
+  },
+  {
+    id: 'javascript/reject-unauthorized-false',
+    severity: 'high',
+    title: 'rejectUnauthorized set to false',
+    description: 'Setting rejectUnauthorized: false disables TLS certificate verification.',
+    matcher: {
+      type: 'regex',
+      fileGlobs: ['**/*.{js,jsx,ts,tsx}'],
+      pattern: '\\brejectUnauthorized\\s*:\\s*false\\b',
+      message: 'rejectUnauthorized appears to be set to false',
+    },
+  },
+]
+
+export function getJavaScriptRules(): Rule[] {
+  return JAVASCRIPT_RULES
+}

package/test/smoke.test.js

@@ -0,0 +1,16 @@
+const assert = require('node:assert/strict')
+const test = require('node:test')
+
+test('analyzer exports javascript rules', async () => {
+  const mod = require('../dist/index.js')
+  assert.ok(mod)
+
+  assert.equal(typeof mod.getJavaScriptRules, 'function')
+  const rules = mod.getJavaScriptRules()
+  assert.ok(Array.isArray(rules))
+  assert.ok(rules.length > 0)
+
+  const ids = new Set(rules.map((r) => r.id))
+  assert.ok(ids.has('javascript/dangerous-eval'))
+  assert.ok(ids.has('javascript/tls-reject-unauthorized-disabled'))
+})

package/tsconfig.json

@@ -0,0 +1,8 @@
+{
+  "extends": "../../../tsconfig.base.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist"
+  },
+  "include": ["src/**/*.ts"]
+}